Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

Lack of validation of decoded assets returned from OracleResult in the `BuyerAgent::purchase` function

Summary

The lack of validation of the decoded assets returned from OracleResult in the BuyerAgent::purchase function can DoS a BuyerAgent's purchases, because the OracleResult may also return assets that are not listed for the current BuyerAgent. The OracleResult depends entirely on the generators' output, and a generator can be anybody who registers in LLMOracleRegistry, which makes the OracleResult error-prone. As a result, the OracleResult can sometimes return assets that are not listed for the current BuyerAgent.

Vulnerability Details

The BuyerAgent::purchase() function purchases the assets returned from the OracleResult, which is usually the generated output data from LLMOracleCoordinator. There is a high chance that the asset array contains assets that are not listed for the current BuyerAgent in that round, due to possible manipulation of the OracleResult or errors from the generators. The purchase then fails because of the validation check below in the Swan contract.

```solidity
function purchase(address _asset) external {
    AssetListing storage listing = listings[_asset];
    // only the buyer can purchase the asset
    if (listing.buyer != msg.sender) {
        revert Unauthorized(msg.sender);
    }
    ....
}
```

Because of this, the BuyerAgent is unable to purchase assets for this round.

Even a single wrong asset returned from the OracleResult makes the whole OracleResult unusable. The BuyerAgent has to perform another oraclePurchaseRequest, and therefore has to pay the oracle fee again.

Attack Scenario:

  1. Alice has a BuyerAgent contract with some listers in its sell phase.

  2. Alice is now in the buy phase and wants to buy the assets, so Alice calls purchase() in BuyerAgent.sol after calling oraclePurchaseRequest() to get the taskId.

  3. Because the addresses in the assets array from the OracleResult are not validated, the array may contain an asset that is not listed for the current BuyerAgent.

  4. When the BuyerAgent tries to purchase that other BuyerAgent's asset in Swan, the call reverts on the listing.buyer != msg.sender condition.

  5. As a result, the BuyerAgent is unable to purchase assets in that round.

Code : https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/BuyerAgent.sol#L222-L256

Impact

This issue impacts both the BuyerAgent and the listers who listed assets for this BuyerAgent. The BuyerAgent loses the oracle fees paid to the LLM Coordinator for the request operation. The listers also lose the royalties paid when listing assets, as their assets are no longer bought in the current round. The chance of malicious behaviour is high.

  • Loss of the oracle fee to the BuyerAgent, because the current OracleResult is unusable and another oraclePurchaseRequest has to be made

  • Loss of royalties paid by listers to the BuyerAgent

Tools Used

Manual Inspection

Recommendations

Add the necessary checks or try/catch blocks in BuyerAgent::purchase() to verify whether the asset addresses in the assets array belong to this BuyerAgent.
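A sketch of the recommendation, added here as an illustration and not taken from the Swan code base: `MarketSketch` and `AgentSketch`, with their functions and event, are hypothetical stand-ins that model only the buyer check quoted above. Access control, round phases and spending limits are left out of the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the market: models only the listing.buyer check.
contract MarketSketch {
    error Unauthorized(address caller);

    mapping(address => address) public buyerOf; // asset => agent it is listed for

    function list(address asset, address buyer) external {
        buyerOf[asset] = buyer;
    }

    function purchase(address asset) external {
        if (buyerOf[asset] != msg.sender) revert Unauthorized(msg.sender);
        delete buyerOf[asset]; // a second purchase of the same asset now fails
    }
}

// Hypothetical agent: `output` plays the role of the bytes read from the oracle result.
contract AgentSketch {
    MarketSketch public immutable market;

    event Skipped(address asset);

    constructor(MarketSketch m) {
        market = m;
    }

    // Behaviour described in the report: one foreign asset reverts the whole batch.
    function purchaseStrict(bytes calldata output) external {
        address[] memory assets = abi.decode(output, (address[]));
        for (uint256 i = 0; i < assets.length; i++) {
            market.purchase(assets[i]);
        }
    }

    // Recommended behaviour: skip entries the market rejects and keep the rest.
    function purchaseTolerant(bytes calldata output) external returns (uint256 bought) {
        address[] memory assets = abi.decode(output, (address[]));
        for (uint256 i = 0; i < assets.length; i++) {
            try market.purchase(assets[i]) {
                bought++;
            } catch {
                emit Skipped(assets[i]); // unlisted, foreign or duplicate entry
            }
        }
    }
}
```

The try/catch covers only the external `purchase` call; an `output` that is not a valid ABI-encoded address array still reverts inside `abi.decode`, so that case needs separate handling.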

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

0xmax1mus Submitter
9 months ago
inallhonesty Lead Judge
9 months ago
inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

There is no oracle whitelisting
